In the ‘while’ loop shown above, which reads the character packets, the ‘cc’ byte obtained directly from the VF file via the fuget1() routine is used as an index into the ‘font->chars[]’ array. Nothing checks that this value lies within the bounds of that array, so a crafted file can supply an invalid index, which will eventually result in arbitrary read/write operations.
To fix this, the following patch was applied.
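The following is an added illustration of the missing check, not code from the project or from the patch on this page. It assumes a hypothetical `struct vf_font` with a `chars[]` array and an `nchars` count, and a constructed byte stream of (cc, value) pairs standing in for the VF char packets; the point is that a byte taken straight from the file is validated against the array actually allocated before it is used as an index.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical font record: the page names font->chars[] but not its
 * layout, so this struct is an assumption made for the example. */
#define VF_MAX_CHARS 256

struct vf_font {
    size_t nchars;              /* number of valid entries in chars[] */
    int chars[VF_MAX_CHARS];    /* per-character data, indexed by char code */
};

/* Read one byte from the stream, in the spirit of the page's fuget1();
 * returns -1 at end of input instead of reading past the buffer. */
static int vf_get1(const unsigned char *buf, size_t len, size_t *pos)
{
    if (*pos >= len)
        return -1;
    return buf[(*pos)++];
}

/* Parse a constructed stream of (cc, value) byte pairs and store value in
 * font->chars[cc]. Returns the number of packets stored, or -1 on a
 * malformed stream. The comparison of cc against font->nchars is the
 * check the text describes as missing: without it, a byte chosen by the
 * file's author indexes outside the array. */
int vf_read_char_packets(const unsigned char *buf, size_t len, struct vf_font *font)
{
    size_t pos = 0;
    int count = 0;

    /* Internal consistency: never trust nchars beyond the storage we own. */
    if (font->nchars > VF_MAX_CHARS)
        return -1;

    for (;;) {
        int cc = vf_get1(buf, len, &pos);
        if (cc < 0)
            break;                  /* clean end of stream */
        int value = vf_get1(buf, len, &pos);
        if (value < 0)
            return -1;              /* truncated packet */

        /* Bounds check on the file-supplied index. */
        if ((size_t)cc >= font->nchars)
            return -1;

        font->chars[cc] = value;
        count++;
    }
    return count;
}

/* Constructed inputs used by main() and by the checks below. */
int demo_valid_stream(void)
{
    struct vf_font f;
    memset(&f, 0, sizeof f);
    f.nchars = 4;
    const unsigned char good[] = { 0, 10, 3, 20 };   /* cc=0, cc=3: in range */
    int n = vf_read_char_packets(good, sizeof good, &f);
    return (n == 2 && f.chars[0] == 10 && f.chars[3] == 20) ? n : -99;
}

int demo_out_of_range_stream(void)
{
    struct vf_font f;
    memset(&f, 0, sizeof f);
    f.nchars = 4;
    const unsigned char bad[] = { 0, 10, 200, 5 };   /* cc=200 >= nchars */
    return vf_read_char_packets(bad, sizeof bad, &f);
}

int demo_truncated_stream(void)
{
    struct vf_font f;
    memset(&f, 0, sizeof f);
    f.nchars = 4;
    const unsigned char trunc[] = { 1 };             /* cc without a value */
    return vf_read_char_packets(trunc, sizeof trunc, &f);
}

int main(void)
{
    printf("valid stream: %d packets\n", demo_valid_stream());
    printf("out-of-range cc: %d\n", demo_out_of_range_stream());
    printf("truncated stream: %d\n", demo_truncated_stream());
    return 0;
}
```

Rejecting the whole file on the first bad index is the conservative choice for a parser that has already seen the rest of its input misbehave; silently skipping the packet would keep parsing but hide the corruption from the caller.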